A SmartHome... NoT - Part I

Home monitoring and automation without compromising privacy or security

I moved house a couple of months back to, what my partner likes to describe as, our "forever home". As such, I was keen to start looking into home monitoring / automation again as I knew things had progressed significantly since I last considered such things and I was keen to see what could be done. After lots of investigation I believe I have found the basis of a home automation solution which meets my current needs, should be extensible moving forward and which does not compromise the security or privacy of my home.

This post is, I hope, the first in a series that discusses the various devices and software I use to monitor and automate my home.

Private by design

Firstly a word on privacy. While "smart devices" are everywhere nowadays, they almost all require connection to the internet and, often, a subscription to a "cloud" service. I wrote about this before and expressed my desire for smart devices to "drop the 'Inter' from IoT and expand the 'net' to become a 'Network of Things', or NoT" which could optionally be bridged to the internet if desired. To quote myself:

I've long loved the idea of home automation. From X10 and LightwaveRF through to modern Bluetooth and Wifi connected devices, I have played with dozens of technologies in search of home automation nirvana. But recently I have watched with growing bewilderment at the incredible number of "cloud-connected" home automation devices being released and the eagerness with which they're snapped up by naive consumers hungry to control everything from the carefree comfort of their iPhone.

You see, while you can buy a myriad of IoT devices off the shelf nowadays, they nearly all come with some form of "cloud-service" that is necessary in order for the device to work as sold. As the more wily of readers will no doubt be aware, this exposes your home network to innumerable security concerns, potential abuses and an external point of failure that cannot be closed/fixed without sacrificing some or all of the functionality of the newfangled device.

In short, the list of "off-the-shelf" devices I would feel comfortable having on my home network is very short and, until recently, I was resigned to having to build these devices myself using single board computers or Wifi connected microcontrollers. That is until a family of devices came to my attention that originated from the most unlikely of places...

Mi Smart Home

China isn't the first country that comes to mind when you think about privacy yet, with the release of the "Mi Smart Home" family of devices, the Chinese electronics manufacturer Xiaomi Inc seems to have delivered a smart-device eco-system that is privacy-friendly... albeit somewhat tacitly as we will see below.

These devices connect to your internal Wifi network via a Gateway device. In addition to providing the Zigbee to Wifi bridge, this gateway also provides an ambient light sensor, a very useful RGB light and a umm... not so useful speaker. This is all packaged in a small, round, 30 gram device about 8 centimeters in diameter and 3 centimeters deep. Frustratingly the gateway only comes with the Chinese/Australian type I plug so you need an adapter to use it in the UK which adds significantly to the depth (although I've taken to using a convenient extension lead instead).

To set up the Wifi Gateway device and add sensors, you have to install the Xiaomi Mi Home app which, to be frank, is a privacy nightmare. The list of permissions it needs is quite incredible:

Version 5.1.1 can access:

Device & app history: retrieve running apps

Identity: find accounts on the device; add or remove accounts

Calendar: read calendar events plus confidential information; add or modify calendar events and send emails to guests without owners' knowledge

Contacts: find accounts on the device; read your contacts; modify your contacts

Location: approximate location (network-based); precise location (GPS and network-based)

SMS: read your text messages (SMS or MMS); receive text messages (SMS); send SMS messages

Phone: directly call phone numbers; reroute outgoing calls; read call log; read phone status and identity; write call log

Photos / Media / Files: read the contents of your USB storage; modify or delete the contents of your USB storage

Storage: read the contents of your USB storage; modify or delete the contents of your USB storage

Camera: take pictures and videos

Microphone: record audio

Wi-Fi connection information: view Wi-Fi connections

Device ID & call information: read phone status and identity

Other: download files without notification; interact across users; full licence to interact across users; transmit infrared; modify secure system settings; read Home settings and shortcuts; write Home settings and shortcuts; view network connections; create accounts and set passwords; read battery statistics; pair with Bluetooth devices; access Bluetooth settings; send sticky broadcast; change network connectivity; allow Wi-Fi Multicast reception; connect and disconnect from Wi-Fi; disable your screen lock; control flashlight; full network access; change your audio settings; control Near-Field Communication; read sync settings; run at startup; draw over other apps; use accounts on the device; control vibration; prevent device from sleeping; modify system settings; toggle sync on and off; install shortcuts; uninstall shortcuts

Scary huh! How can I possibly claim these devices are privacy friendly when you've basically just given a Chinese company permission to do pretty much anything it likes with your phone's hardware and data? Well, notice how I said you need the app to "set up the Wifi Gateway device and add sensors". Once they're set up you no longer need the app and, furthermore, once "local network functions" are enabled (more on this in a second) neither the gateway nor sensors need internet access to function.

So, how to go about using these sensors in a privacy friendly way?

Preparation

To get set up with these devices without compromising your privacy, you will need:

A dedicated VLAN and Wifi network for "smart home" devices

I recommend putting any 3rd party "smart" devices in an isolated environment within which you can easily enable or disable internet access. To do this I am using the VLAN feature of my Draytek 2860 router, which involved creating a second VLAN on my network, enabling "Inter-LAN" routing so I could access the VLAN from my existing subnet and, finally, adding firewall rules to prevent devices on this VLAN from accessing the internet / other VLANs.

A clean Android device

I had an old Android phone lying around on which I performed a hard-reset and wiped all user-data. With a clean device I could then install the app without worrying about sharing anything private with Xiaomi.

Installation

First, install the Xiaomi Mi Home app on your clean Android device. On first run after installation you will be prompted for a region and asked to sign in. In order to use all the Mi Smart devices, you must select "Mainland China" for your region (this doesn't affect the language in the app) following which you can just create a new account to sign in.

Once the app is installed you can plug in a gateway. This results in a nice flashing yellow ring of light around the device... and a harsh female voice babbling Chinese at an almost intolerable volume; basically an audio and visual indication that the gateway is in "pairing" mode.

Go ahead and pair the gateway to the app following the walk-through here. At this point it's a good idea to also install any additional "sub devices" you have (i.e. the various Zigbee sensors) which can be done by following this walkthrough.

Finally, in order to use the gateway and sensors without the app and/or internet access, it is necessary to enable "local network functions". This can be done from the app by following the instructions here. Quite why Xiaomi decided to hide what is possibly the killer feature of these devices behind a "secret" button I've no idea... fortunately it's an open secret and Xiaomi don't seem to be making any effort to conceal it further.

With all the above done, feel free to junk the app and disable internet access from the "smart device" subnet / ip range.

Usage

Once 'local network functions' have been enabled, each Gateway uses the multicast address 224.0.0.50 to broadcast UDP messages on port 9898 from the gateway and sub-devices. The gateway publishes a "heartbeat" message every 10-15 seconds or so, meaning you can easily determine everything is working by spinning up Wireshark (on a device connected to the "smart device" subnet), filtering out anything that isn't a UDP message (display filter: udp) and looking for messages from the gateway IP address. You should eventually see something like this:

Once you can see these messages you can start interacting with the gateway and devices using various commands. For example, to get a list of the sub-devices from a gateway you can send a 'get_id_list' command using a UDP packet containing this string (ASCII encoded) to the gateway's IP address, again on port 9898:

{"cmd":"get_id_list"}

This will result in a get_id_list_ack response containing a list of sid (aka 'simple' id) values for devices registered with the gateway (including the gateway sensor/status itself) as follows:

You're then able to retrieve the device status using the read command for each sid:

{"cmd":"read","sid":"7811dcb06972"}

Which will return a read_ack response containing device specific information in the 'data' property. For example, if you send a read command specifying the sid of the gateway you will receive something like the following:
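The get_id_list / read exchange described in this section, as an added Python example (not the author's Orleans application). It assumes the 'data' property may arrive as a JSON-encoded string, and the function names are hypothetical; replies are only accepted from the gateway's own address because these UDP messages carry no authentication.

```python
import json
import socket

GATEWAY_PORT = 9898  # command port given in the post

def build_command(cmd, **fields):
    """Serialise a command as compact ASCII JSON, e.g. {"cmd":"get_id_list"}."""
    return json.dumps({"cmd": cmd, **fields}, separators=(",", ":")).encode("ascii")

def parse_reply(raw):
    """Decode one datagram; raises ValueError if it is not a gateway message."""
    msg = json.loads(raw.decode("utf-8"))
    if not isinstance(msg, dict) or "cmd" not in msg:
        raise ValueError("not a gateway message")
    if isinstance(msg.get("data"), str):  # assumption: data is JSON inside a string
        try:
            msg["data"] = json.loads(msg["data"])
        except ValueError:
            pass  # keep opaque data as received
    return msg

def udp_exchange(gateway_ip, port=GATEWAY_PORT, timeout=3.0):
    """Return exchange(payload, expect) bound to one gateway (dotted-quad IP)."""
    def exchange(payload, expect):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)  # a silent gateway raises a timeout error
            sock.sendto(payload, (gateway_ip, port))
            while True:
                raw, (src_ip, _) = sock.recvfrom(4096)
                if src_ip != gateway_ip:
                    continue  # drop datagrams from any other host on the VLAN
                try:
                    msg = parse_reply(raw)
                except ValueError:
                    continue
                if msg["cmd"] == expect:
                    return msg
    return exchange

def read_all(exchange):
    """Send get_id_list, then read every sid; returns {sid: read_ack data}."""
    sids = exchange(build_command("get_id_list"), "get_id_list_ack")["data"]
    if not isinstance(sids, list):
        raise ValueError("unexpected get_id_list_ack data")
    return {sid: exchange(build_command("read", sid=sid), "read_ack")["data"]
            for sid in sids}

if __name__ == "__main__":
    import sys
    for sid, data in read_all(udp_exchange(sys.argv[1])).items():
        print(sid, data)
```

Run it from a machine that can route to the "smart device" VLAN, passing the gateway's IP address as the only argument.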

Here's one I made earlier...

I used the above information to create a small application for listening to and interacting with the gateway and devices. Mostly out of interest, I used Microsoft's Orleans framework to create a console application which wraps up the interaction with various devices into strongly typed agents (also an agent approach seemed to nicely mirror the segregated nature of the devices themselves).

I didn't take this too far as I subsequently decided to use an "off-the-shelf" system for interacting with the Xiaomi devices (the subject of my next "smart home" post) but it's a decent proof-of-concept. I've published the source in a repository on GitHub; feel free to have a play and drop me a line with any questions you might have.

In the next post I'll discuss the off-the-shelf system I'm now using to privately interact with the Xiaomi devices.